Skip to main content

decryptStrategyOnce

Strict / airgapped strictness only. Verifies the supplied passphrase against the org's stored verifier, derives the KEK in-process, decrypts the named strategy's encrypted IP fields (code + config + uiBuilderConfig + analysis), zeros the KEK, emits a secrets.passphrase.decrypt_once audit event, and returns the plaintext payload.

Returns errors:

  • STRICTNESS_DOES_NOT_REQUIRE_PER_ACTION — caller's org is on convenience or standard strictness; dashboard should fall back to UnlockModal.
  • NO_PASSPHRASE_VERIFIER — the org has no passphrase configured.
  • WRONG_PASSPHRASE — the supplied passphrase does not match.

Each error path emits a denied audit row with a structured denied_reason so admins can see brute-force patterns on per-action prompts.

decryptStrategyOnce(
strategyID: ID!
passphrase: String!
): Strategy!

Arguments

decryptStrategyOnce.strategyID ● ID! non-null scalar

Strategy ID to decrypt.

decryptStrategyOnce.passphrase ● String! non-null scalar

Plaintext passphrase. Never logged. Zeroed after the operation.

Type

Strategy object